Primary

Context

Netgear WG302v2 Command Injection Vulnerability in the ui_get_input_value Function

Vulnerability

A command injection vulnerability has been identified in the Netgear WG302v2 access point, affecting versions through 5.2.9. The issue arises in the 'ui_get_input_value' function, where the 'host' argument is manipulated, allowing attackers to execute arbitrary commands on the system. This vulnerability can be exploited remotely, without authentication.

Impact

Exploitation of this vulnerability allows for arbitrary command execution on the affected device.

Reproduction

To reproduce this vulnerability, send a crafted request that includes a malicious payload in the 'host' parameter. The payload will be executed as a system command, taking advantage of the lack of input validation in the 'ui_get_input_value' function.

Added: Jun 9, 2025, 7:46 PM

Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread

0.3

impact

7.5

exploitability

6.2

remediation

0.0

relevance

0.0

threat

6.4

urgency

2.9

incentive

1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

0.3

impact

7.5

exploitability

6.2

remediation

0.0

relevance

0.0

threat

6.4

urgency

2.9

incentive

1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Netgear WG302v2 Command Injection Vulnerability in the ui_get_input_value Function

Vulnerability

Impact

Reproduction

Affected Products

Netgear WG302v2

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating